AdguardTeam / AdGuardVPNForAndroid

AdGuard VPN Android app open bug tracker
https://adguard-vpn.com/

Make Kill Switch work when using AdGuard VPN + AdGuard #110

Open ameshkov opened 3 years ago

ameshkov commented 3 years ago

Here's the problem:

  1. The user may set AdGuard as an "Always-on VPN" and "Block connections without VPN" in the settings.
  2. However, since AdGuard does not filter AdGuard VPN's traffic, this way we'll basically drop connection to AdGuard VPN backend.

Solving this would be tricky. When the kill switch is enabled, we'll have to route AdGuard VPN traffic via AdGuard, otherwise Android would block it. There's a solution to this that involves rather complicated manual setup. Can we help users with this? Make it a one-tap setting in AG or AG VPN?

The current solution to this is to follow these steps.

UPD: note that this instruction will only work after https://github.com/AdguardTeam/AdguardForAndroid/issues/3923 is done.

In the AdGuard VPN app

  1. Go to settings and switch to SOCKS5 mode.
  2. It will ask you if you want to disable integration mode. Tap "UNLINK", you don't need it now.
  3. Now when you run a VPN, it will connect to the remote VPN server on one side, and run a local SOCKS proxy on port 1080 on the other side.

In the AdGuard app: make sure all apps are routed via AdGuard

You need to do this step to make sure that all apps' traffic is routed through AdGuard. If you don't do this and some apps are excluded from routing, they won't be able to connect to the Internet (that's just how Kill Switch works in Android).

  1. Go to Apps Management -> Menu button -> Bulk change.
  2. Choose "AdGuard protection", "Enabled", "Apps and browsers", tap "APPLY".
  3. Go to Settings -> Advanced -> Low-level settings.
  4. Find pref.excluded.packages there and remove everything from it.
  5. Make sure that DNS filtering is enabled in AdGuard and some encrypted DNS server is in use.

In the AdGuard app: use AdGuard VPN's SOCKS proxy

  1. Go to settings -> network -> proxy.
  2. Add a new Proxy there, choose "SOCKS5", set proxy host to 127.0.0.1 and proxy port to 1080.
  3. Save it and enable the "Proxy" module.

Now open Android settings

  1. Go to Network & internet -> VPN
  2. Tap on "AdGuard" there (NOT AdGuard VPN, it's important)
  3. Enable "Always-on VPN" and "Block connections without VPN"

Now you're all set! The traffic of all your apps is now routed through the AdGuard app. AdGuard routes it through AdGuard VPN's proxy and from there it goes through the VPN server of your choice.

You're all set, Kill Switch is now working.
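A check for the state these instructions rely on, as an added example that is not part of the original comment or of AdGuard's code: it speaks the SOCKS5 handshake (RFC 1928) to the local listener at 127.0.0.1:1080 and then asks for one CONNECT, so you can tell "proxy not running" apart from "proxy running but nothing gets out". The function names and the `example.com:443` target are assumptions; run it on the device itself, since the proxy listens on loopback.

```python
import socket
import struct

# Values from the instructions above: AdGuard VPN's local SOCKS5 listener.
PROXY_HOST, PROXY_PORT = "127.0.0.1", 1080


def _read_exact(sock, n):
    """Read exactly n bytes, or return what arrived before EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_socks5(host=PROXY_HOST, port=PROXY_PORT,
                 target=("example.com", 443), timeout=3.0):
    """Classify the proxy as 'unreachable', 'not-socks5', 'auth-required',
    'tunnel-down' or 'tunnel-up'. The target is an assumed test destination."""
    stage = "unreachable"          # nothing is listening on the port
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            stage = "not-socks5"   # connected, but no SOCKS5 answer yet
            # Greeting: VER=5, one method offered, 0x00 = no authentication.
            s.sendall(b"\x05\x01\x00")
            greeting = _read_exact(s, 2)
            if len(greeting) != 2 or greeting[0] != 5:
                return "not-socks5"
            if greeting[1] != 0:   # 0xFF means the proxy refused "no auth"
                return "auth-required"
            stage = "tunnel-down"  # handshake done, outbound leg untested
            # CONNECT request: VER=5, CMD=1, RSV=0, ATYP=3 (domain name).
            name = target[0].encode("idna")
            s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                      + struct.pack("!H", target[1]))
            reply = _read_exact(s, 2)
            # REP (second byte) is 0x00 only when the proxy reached the target.
            if len(reply) == 2 and reply[0] == 5 and reply[1] == 0:
                return "tunnel-up"
            return "tunnel-down"
    except OSError:                # refused, reset or timed out
        return stage


if __name__ == "__main__":
    print(probe_socks5())
```

With the kill switch set up as described, `tunnel-up` is the expected result while AdGuard VPN is connected; any other result means apps routed through AdGuard have no working path out.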

RalMay commented 3 years ago

Sorry, this appears quite easy to me: Just tunnel AG VPN traffic ('unhandled') through AG Ad Blocker. As you do with so many other apps (firewall log shows "HTTPS tunnel").

ameshkov commented 3 years ago

> Just tunnel AG VPN traffic ('unhandled') through AG Ad Blocker.

The problem here is the infinite loop that would occur in this case. AG VPN will try to establish the VPN tunnel -> it will be routed via AG -> AG will try to route this tunnel through AG VPN -> we're in a loop.

We'll need to first make sure that AG does not attempt to route the VPN traffic in a loop, which is covered in this task: https://github.com/AdguardTeam/AdguardForAndroid/issues/3923

RalMay commented 3 years ago

Definition: AdGuard Ad Blocker == "AAB", AdGuard VPN == "AVPN"

I do not see that! "Compatibility mode" uses SOCKS5, right? So AAB connects to AVPN's S5. AVPN then initiates traffic through AAB. AAB knows that AVPN is AVPN and tunnels AVPN's traffic directly to the internet.

Ain't that just a few lines of code?

RalMay commented 3 years ago

Regarding our Telegram conversation, an idea about "DNS" (yes, a few more lines, sorry): Have AVPN tell AAB its connection state. As long as AVPN is disconnected, allow/direct DNS requests to the internet. As soon as AVPN is connected, tunnel DNS requests through AVPN.

ameshkov commented 3 years ago

> Ain't that just a few lines of code?

In the current version, AG is not able to selectively proxy connections so it's either everything goes through the proxy or everything goes directly to the Internet. This feature is definitely not a few lines of code.

But even when it's ready (it is almost done, probably the next nightly will have it), there are many edge cases to consider. There might not be too much code, but there's a lot of work nevertheless.

> As long as AVPN is disconnected, allow/direct DNS requests to the internet. As soon as AVPN is connected, tunnel DNS requests through AVPN.

In the current version, the solution would be to choose an encrypted DNS provider in AG settings. AG will connect to this DNS server directly without using the proxy.

However, we're planning to change this behavior in the future and route encrypted DNS traffic through the outbound proxy and we'll face this issue.

The solution you proposed will only cover the AVPN integration case, but actually, there are more. For instance, the user might be using a Shadowsocks app or Orbot and route traffic through it and run into the same situation. Probably, the simplest solution would be to make an exception for DNS traffic and route it directly when the outbound proxy is dead.

infinitewaveparticle commented 3 years ago

@ameshkov

> In the current version, the solution would be to choose an encrypted DNS provider in AG settings. AG will connect to this DNS server directly without using the proxy.

Will choosing a custom encrypted DNS provider also force AdGuard to connect directly to it?

> Probably, the simplest solution would be to make an exception for DNS traffic and route it directly when the outbound proxy is dead.

Does AdGuard VPN connect via Socks5? If so, is this secure? I don't know a ton about VPN protocols, but for now I use an HTTPS protocol via AdGuard's proxy. I'd like to switch to AdGuard VPN, but only if my security & privacy are both equal to or better than they are now.

ameshkov commented 3 years ago

> Will choosing a custom encrypted DNS provider also force AdGuard to connect directly to it?

Yep.

> Does AdGuard VPN connect via Socks5? If so, is this secure?

Here's how the integration works:

  1. AdGuard VPN establishes a secure tunnel to the VPN server.
  2. At the same time it runs a local SOCKS5 proxy server.
  3. AdGuard routes all traffic through that local proxy server (which then goes to the secure tunnel).

The SOCKS5 connection is local and is made right on your device so no one can see what's inside. The traffic then goes through a secure and encrypted tunnel so there're no issues there.

infinitewaveparticle commented 3 years ago

👍👍👍! Thank you for the explanations!


RalMay commented 3 years ago

This appears to be another issue (== thread to me), but Andrey asked to add it here:

Missing in Adguard for Android products: Killswitch when using AG VPN and AG AB in compatibility mode. Why? As soon as AG VPN disconnects: AG AB reconfigures from comp mode to solo mode, by that using my internet connection and by that revealing my IP address to every app(s vendor) that is allowed to access internet. Easiest solution: (Give an option to) Do not reconfigure AG AB when AG VPN loses connection or is intentionally disconnected.

infinitewaveparticle commented 3 years ago

Could enabling a Kill Switch use Android's Accessibility permission to automatically enable "Block connections without VPN" in Android's Settings?

And then could @RalMay 's issue be fixed by temporarily switching to an AdGuard VPN server via SOCKS5 and then once the AdGuard VPN app is reconnected switch to compatibility mode again?

Just throwing out ideas from a non-Android-developer :)


ameshkov commented 3 years ago

> And then could @RalMay 's issue be fixed by temporarily switching to an AdGuard VPN server via SOCKS5 and then once the AdGuard VPN app is reconnected switch to compatibility mode again?

You're right, currently, the way to solve this is to set up AdGuard VPN to work as a SOCKS5 proxy, and configure AG to use that proxy. I've updated the instruction accordingly.

infinitewaveparticle commented 3 years ago

@ameshkov Could this be set up to happen automatically if Kill Switch is enabled? In my mind, using both of my suggestions, internet connections could be refused when attempted as AdGuard reestablishes itself to both SOCKS5 and then back to compatibility mode. I could be wrong.


ameshkov commented 3 years ago

@infinitewaveparticle yes, that's the reason for this GH issue in general. In the future, there should be a button that would switch AGVPN<->AG integration to the "Kill-Switch" mode, i.e. traffic is not allowed until it's routed through AGVPN.

infinitewaveparticle commented 2 years ago

I just wanted to note that simply using the manual SOCKS5 connection mode for using both apps together pretty much works for me. When AdGuard VPN disconnects (sadly too often), and I'm in manual SOCKS5 mode, no data works for any apps regardless if I have control over my VPN settings (because it's still trying to route through the local SOCKS5 to AdGuard VPN which isn't connected anymore so the connection dies at AdGuard VPN). For example, in Android 5 and Android TV there are no system VPN settings, but SOCKS5 Mode prevents internet connections if AdGuard VPN disconnects. Same goes for the limited settings in Android 7.

However, while in Compatibility Mode, if AdGuard VPN disconnects, AdGuard simply kills the automatic SOCKS5 connection and restarts without it, thus allowing internet connections without the VPN.

So my suggestions would be to:

1) simply force AdGuard to keep the SOCKS5 connection enabled (and not restart the connection) even if AdGuard VPN disconnects; and

2) force AdGuard VPN to reconnect in the event of a disconnect; if this fails force it to choose the fastest server (and do not restart AdGuard's connection no matter what).

And like I said in another comment, for some reason switching the logging level for AdGuard VPN to 'Extended' keeps the AdGuard VPN connection live. This eats up disk space and battery, but it's a temporary solution to the disconnecting issue that nearly everyone complains about. I hope that helps you fix it somehow. After all, there's no way to get logs of an issue if the very act of getting logs prevents the issue.

Formid0 commented 2 years ago

It's unbelievable this issue is still on since 2019. Btw, in order to have a kill switch, I followed the suggestion to get AdGuard VPN to work in SOCKS mode and... finally, it works as intended (no connections if VPN is off). I have an issue with this procedure: Android 11 will block any connection (network error inside AG apps and everywhere) if I select "Block connections without VPN" within Android settings (Network - VPN) as mentioned in the first post:

> **Now open Android settings**
>
> 1. Go to Network & internet -> VPN
> 2. Tap on "AdGuard" there (NOT AdGuard VPN, it's important)
> 3. Enable "Always-on VPN" and "Block connections without VPN"

S7venLights commented 2 years ago

Perhaps this is not the same issue but it's related:

I have only the VPN installed on android 12.

How can I have some apps use the internet without VPN and others only ever through the VPN?

SiliconBased28 commented 1 year ago

Thank you,

This method works really well!

However, is there anything one can do (other than turning off the kill switch temporarily) when an app won't work when using a VPN (i.e. online banking apps)?

KatWritesCode commented 1 year ago

After the latest update (AdGuard 4.0 and AdGuard VPN 2.3.1) I've figured out how to get AdGuard and AdGuard VPN working together with the killswitch.

First, configure the AdGuard VPN app. This setting will have AdGuard VPN connect to AdGuard's servers and offer connection to this via a Proxy server running on localhost port 1080 (127.0.0.1:1080).

  1. Go to Settings>Advanced Settings>Operating Mode
  2. Select "SOCKS5"
  3. You will be warned that compatibility mode will be disabled; accept this prompt
  4. Go to Settings
  5. Turn on the switch to launch at device startup

Next, configure the AdGuard app. These settings will route all your apps, or those AdGuard deems compatible with AdGuard protection (more on this later), through the proxy we just set up above.

  1. Go to Settings>Filtering>Apps>App Management
  2. Tap the three stacked dots in the upper right corner
  3. Select "Route all through AdGuard"
  4. On the next prompt, tap the green button labeled "Route compatible"
  5. Still in App Management, find AdGuard VPN in the list and select it
  6. Make sure "Route traffic through AdGuard" is enabled, and turn off the three switches below:
    • Filter app content
    • Filter HTTPS
    • Route app through proxy
  7. Go to Settings>Filtering>Network>Proxy>Proxy Server
  8. If you see AdGuard VPN proxy there with IP address 127.0.0.1:1080, select it
  9. If you don't see that proxy server, add it and select it
  10. Go to Settings>General>Advanced>Low-level settings>Excluded apps (Excluded apps is found under the Protection header)
  11. Make sure the list is empty unless you specifically know what you're doing with the entries you leave there
  12. Go to Home
  13. Press and hold on the icon second from right, just left of the AdGuard VPN icon
  14. Make sure DNS protection is on and an encrypted DNS server is selected
  15. Go to Settings>General
  16. Turn the switch on to launch AdGuard at system startup

Last, configure the kill switch in Android Settings. Now you can set AdGuard (NOT AdGuard VPN) as Always-On VPN, and then enable the kill switch, which says something like "Block connections without VPN". This process can vary depending on your phone model and manufacturer.

NOTE (continuation from above): You may need to be selective for other apps in a similar way as AdGuard VPN was partially excluded above. Tweak these settings from Settings>Filtering>Apps>App Management

infinitewaveparticle commented 1 year ago

For #13 what list in low level settings?

-------- Original Message -------- On Jul 7, 2023, 5:22 PM, KatWritesCode wrote:

After the latest update (AdGuard 4.0 and AdGuard VPN 2.3.1) I've figured out how to get AdGuard and AdGuard VPN working together with the killswitch.

AdGuard VPN app:

  • Go to Settings>Advanced Settings>Operating Mode
  • Select "SOCKS5"
  • You will be warned that compatibility mode will be disabled; accept this prompt
  • Go to Settings
  • Turn on the switch to launch at device startup

AdGuard app:

  • Go to Settings>Filtering>Apps>App Management
  • Tap the three stacked dots in the upper right corner
  • Select "Route all through AdGuard"
  • On the next prompt, click the green button labeled "Route compatible"
  • Still in App Management, find AdGuard VPN in the list and select it
  • Turn off the three switches below:
  • Filter app content
  • Filter HTTPS
  • Route app through proxy
  • Go to Settings>Filtering>Network>Proxy>Proxy Server
  • If you see AdGuard VPN proxy there with IP address 127.0.0.1 and port 1080, select it
  • If you don't see that proxy server, add it and select it
  • Go to Settings>General>Advanced>Low-level settings and make sure the list is empty unless you specifically know what you're doing with the entries you leave
  • Go to Home
  • Press and hold on the icon second from right, just left of the AdGuard VPN icon
  • Make sure DNS protection is on and an encrypted DNS server is selected
  • Go to Settings>General
  • Turn the switch on to launch AdGuard at system startup

Android Settings: Now you can set AdGuard (NOT AdGuard VPN) as Always-On VPN, and then enable the killswitch. This process can vary depending on your phone model and manufacturer.

Note: You may need to be selective for other apps in a similar way as AdGuard VPN was partially excluded above. I use messaging app Beeper and I had to set the same exclusions for this app.


KatWritesCode commented 1 year ago

> For #13 what list in low level settings?

Ah, I missed that! Updated. Looking for "Excluded apps" there.